OEMs have been getting better at rolling out Android Security Patches
Back in 2018, researchers from Security Research Labs (SRLabs) published a paper highlighting how several Android OEMs were declaring Android Security Patch levels but weren’t actually incorporating all the necessary patches on their devices. The paper caused quite a stir in the Android community, and Google subsequently launched an investigation into each device with a noted “patch gap.” Google’s investigation appears to have had a positive effect on the Android patch ecosystem: a recent ZDNet report notes that Android OEM patch rates have improved significantly over the last two years.
The report cites the latest analysis released by SRLabs, which takes into account official firmware builds released up until 2019. SRLabs has been tracking these builds to determine how quickly OEMs update devices to the latest Android Security Patch Level after Google publishes the monthly Android Security Bulletin. The firm crowdsourced the data from users who had its SnoopSnitch application installed, and from those uploads identified around 10,000 unique firmware builds with patch levels from 2018 and 7,000 unique firmware builds with patch levels from 2019. Based on the data collected, SRLabs released the following findings:
OEMs missed half as many patches in 2019 as they did in 2018. SRLabs refers to this as the “rate of missed patches”: below 0.4 for 2019 versus 0.7 for 2018. The value is the average number of missed patches per OEM, and only critical and high severity patches were counted in this determination.
Monthly security updates were delivered to users about 15% faster overall, with the average delay dropping from 44 days to 38 days. SRLabs approximated this delay as the difference between the build date of each firmware and the patch level date declared by that firmware.
The Android ecosystem is still fragmented, as many OEMs have to apply security patches to many different Android versions. In addition, many users are still on unsupported end-of-life (EOL) versions: SRLabs found that only 30% of unique uploads in 2019 came from users running Android 9 Pie or newer.
OEMs tended to patch their most widely deployed Android versions faster than their less widely deployed ones. For Samsung and Xiaomi that was Android 7.1.1, while for ASUS it was Android 9. Some OEMs, like Google and HMD Global, patched their devices incredibly quickly; SRLabs attributes this to the fact that these OEMs ship near-vanilla builds and release fewer devices than some of the others. If you’re interested in learning more about how monthly Android security patch updates work, you can check out our detailed explainer by following this link.
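To make the three metrics above concrete, here is an added example (not SRLabs' SnoopSnitch code, and not from the ZDNet report) that computes them over a small, constructed fleet of firmware records: the build-date-minus-patch-level delay, the per-OEM rate of missed critical/high patches, and the share of builds on Android 9 or newer. The `FirmwareBuild` record, the OEM names and the `CVE-PLACEHOLDER-*` identifiers are assumptions made up for the example; only the `ro.build.version.security_patch` property format (`YYYY-MM-DD`) is real.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean


@dataclass
class FirmwareBuild:
    """Hypothetical record of one firmware build seen in a fleet audit (constructed)."""
    oem: str
    android_version: str
    build_date: date
    patch_level: str  # ro.build.version.security_patch, "YYYY-MM-DD"
    missed: list = field(default_factory=list)  # (identifier, severity) pairs


def patch_delay_days(b: FirmwareBuild) -> int:
    """SRLabs-style delay approximation: build date minus declared patch level date."""
    y, m, d = (int(x) for x in b.patch_level.split("-"))
    return (b.build_date - date(y, m, d)).days


def average_delay(builds) -> float:
    return mean(patch_delay_days(b) for b in builds)


def missed_patch_rate(builds, severities=("critical", "high")) -> dict:
    """Average number of missed critical/high patches per build, grouped by OEM."""
    per_oem = {}
    for b in builds:
        n = sum(1 for _, sev in b.missed if sev in severities)
        per_oem.setdefault(b.oem, []).append(n)
    return {oem: mean(counts) for oem, counts in per_oem.items()}


def share_on_or_above(builds, min_major=9) -> float:
    """Fraction of builds whose major Android version is at least min_major (9 = Pie)."""
    ok = sum(1 for b in builds if int(b.android_version.split(".")[0]) >= min_major)
    return ok / len(builds)


# Constructed sample fleet; placeholder identifiers, not real CVEs.
FLEET = [
    FirmwareBuild("OEM-A", "9", date(2019, 3, 20), "2019-02-05", [("CVE-PLACEHOLDER-1", "high")]),
    FirmwareBuild("OEM-A", "7.1.1", date(2019, 4, 2), "2019-03-01", []),
    FirmwareBuild("OEM-B", "8.1.0", date(2019, 5, 15), "2019-03-05",
                  [("CVE-PLACEHOLDER-2", "critical"), ("CVE-PLACEHOLDER-3", "low")]),
    FirmwareBuild("OEM-B", "9", date(2019, 6, 10), "2019-05-05", [("CVE-PLACEHOLDER-4", "high")]),
]

if __name__ == "__main__":
    print(average_delay(FLEET), missed_patch_rate(FLEET), share_on_or_above(FLEET))
```

The low-severity entry on the third record is deliberately excluded from the missed-patch rate, mirroring SRLabs counting only critical and high severity patches.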